author | James E. Blair <jim@acmegating.com> | 2022-03-22 16:17:36 -0700 |
---|---|---|
committer | James E. Blair <jim@acmegating.com> | 2022-03-24 14:50:20 -0700 |
commit | 6214731f8bd3ce96b2431c1b87bcf64cf43ff3da (patch) | |
tree | 005abf33db5fd323d5448de7254231c34e9ef33b /zuul/ansible | |
parent | dacbf91097c0de308f24a8e22906755e31ed2fc0 (diff) | |
download | zuul-6214731f8bd3ce96b2431c1b87bcf64cf43ff3da.tar.gz |
Fix Ansible plugin loading (tag: 5.2.0)
This corrects a security vulnerability related to loading Ansible
plugins under the `ansible.builtin.*` aliases.
Change-Id: I3a394904765e22080aa038c44bfe26e07a1e86c7
Story: 2009941
Diffstat (limited to 'zuul/ansible')
-rw-r--r-- | zuul/ansible/base/callback/zuul_json.py | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/zuul/ansible/base/callback/zuul_json.py b/zuul/ansible/base/callback/zuul_json.py
index 4ed2d01b4..6b8b957bb 100644
--- a/zuul/ansible/base/callback/zuul_json.py
+++ b/zuul/ansible/base/callback/zuul_json.py
@@ -27,6 +27,7 @@ import datetime
import json
import os
+from ansible.plugins.loader import PluginLoader
from ansible.plugins.callback import CallbackBase
try:
# It's here in 2.3
@@ -202,3 +203,33 @@ class CallbackModule(CallbackBase):
outfile.write('\n]\n')
v2_runner_on_unreachable = v2_runner_on_ok
+
+
+# Using 'ansible.builtin.command' instead of 'command' bypasses our
+# custom plugins, so rewrite any uses of ansible.builtin.X to just X.
+# This workaround is temporary until we remove our custom plugins.
+
+# This happens here because Ansible will load the zuul_json plugin for
+# any invocation where we care about restricting access, and this is
+# the earliest in the Ansible startup procedure we can access.
+
+# Monkepatch some PluginLoader methods to rewrite the modules it is
+# loading.
+orig_get = PluginLoader.get
+orig_find_plugin = PluginLoader.find_plugin
+
+
+def mp_get(self, name, *args, **kwargs):
+    name = name.rsplit('.', 1)[-1]
+    ret = orig_get(self, name, *args, **kwargs)
+    return ret
+
+
+def mp_find_plugin(self, name, *args, **kwargs):
+    name = name.rsplit('.', 1)[-1]
+    ret = orig_find_plugin(self, name, *args, **kwargs)
+    return ret
+
+
+PluginLoader.get = mp_get
+PluginLoader.find_plugin = mp_find_plugin |
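Review bot: `mp_get` and `mp_find_plugin` strip every dotted prefix with `name.rsplit('.', 1)[-1]`, not only the `ansible.builtin.` alias that the comment above them describes, so a collection-qualified name such as `community.general.x` would also be looked up as bare `x` and either fail to resolve or resolve to a different plugin that happens to share the short name. Limiting the rewrite to the alias that actually bypasses Zuul's restricted plugins keeps the security fix without that side effect: `if name.startswith('ansible.builtin.'): name = name.rsplit('.', 1)[-1]` in both functions (if the supported Ansible versions also accept `ansible.legacy.` as an alias for the core plugins, that prefix belongs in the same check — verify). Only `get` and `find_plugin` are patched; if any supported Ansible version reaches the loader through `find_plugin_with_context`/`get_with_context` without passing through these two methods, an `ansible.builtin.command` task could still bypass the rewrite, so that path is worth confirming per supported version. The header comment also has a typo: `# Monkepatch some PluginLoader methods` → `# Monkeypatch some PluginLoader methods`.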